-rw-r--r-- | README | 80 | ||||
-rw-r--r-- | actions/getfile.php | 2 | ||||
-rw-r--r-- | classes/File.php | 17 | ||||
-rw-r--r-- | lib/common.php | 2 | ||||
-rw-r--r-- | lib/util.php | 12 |
5 files changed, 106 insertions, 7 deletions
@@ -2,8 +2,8 @@ README ------ -StatusNet 0.9.0 ("Stand") Beta 4 -27 Jan 2010 +StatusNet 0.9.0 ("Stand") Beta 5 +1 Feb 2010 This is the README file for StatusNet (formerly Laconica), the Open Source microblogging platform. It includes installation instructions, @@ -78,6 +78,11 @@ New this version ================ This is a major feature release since version 0.8.2, released Nov 1 2009. +It is also a security release since 0.9.0beta4 January 27 2010. Beta +users are strongly encouraged to upgrade to deal with a security alert. + +http://status.net/wiki/Security_alert_0000002 + Notable changes this version: - Records of deleted notices are stored without the notice content. 
@@ -198,6 +203,77 @@ Notable changes this version: - Major refactoring of queue handlers to manage very large hosting site (like status.net) - SubscriptionThrottle plugin to prevent subscription spamming +- Don't enqueue into plugin or SMS queues when disabled (breaks unqueuehandler if SMS queue isn't attached) +- Improve name validation checks on local File references +- fix local file include vulnerability in doc.php +- Reusing fixed selector name for 'processing' in util.js +- Removed hAtom pattern from registration page. +- restructuring of User::registerNew() lost password munging +- Add a script to clear the cache for a given key +- buggy fetch for site owner +- Added missing concat of </li> in Realtime response +- Updated XHR binded events to work better in jQuery 1.4.1. Using .live() for event delegation instead of jQuery.data() and checking to see if an element was previously binded. +- Updated jQuery Form Plugin from v2.17 to v2.36 +- Updated jQuery JavaScript Library from v1.3.2 to v1.4.1 +- move schema.type.php to typeschema.php like other files +- Add Really Simple Discovery (RSD) support +- Add a robots.txt URL to the site root +- error clearing tags for profiles from memcached +- on exceptions, stomp logs the error and reenqueues +- add lat, lon, location and remove closing tag from geocode.php +- Use passed-in lat long in geocode.php +- better handling of null responses from geonames.org +- Globalized form notice data geo values +- Using jQuery chaining in FormNoticeXHR +- Using form object instead of form_id and find(). Slightly faster and easier to read. 
+- removed describeTable from base class, and fixed it up in pgsql +- getTableDef() mostly working in postgres +- move the schema DDL sql off into seperate files for each db we support +- plugin to limit number of registered users +- add hooks for user registration +- live fast, die young in bash scripts +- for single-user mode, retrieve either site owner or defined nickname +- method to get the site owner +- define a constant for the 'owner' role of a site +- add simple cache getter/setter static functions to Memcached_DataObject +- Adds notice author's name to @title in Realtime response +- Hides .author from XHR response in showstream +- Hides .author from XHR response in showstream +- Fix more fatal errors in queue edge cases +- Don't attempt to resend XMPP messages that can't be broadcast due to the profile being deleted. +- Wrap each bit of distrib queue handler's saving operation in a try/catch; log exceptions but let everything else continue. +- Log exceptions from queuedaemon.php if they're not already caught +- Move sessions settings to its own panel +- Fixes for status_network db object .ini and tag setter script +- Add a script to set tags for sites +- Adjust API authentication to also check for OAuth protocol params in the HTTP Authorization header, as defined in OAuth HTTP Authorization Scheme. +- Last-chance distribution if enqueueing fails +- Manual failover for stomp queues. 
+- lost config in index.php made all traffic go to master +- "Revert "move RW setup above user get in index.php so remember_me works"" +- Revert "move RW setup above user get in index.php so remember_me works" +- move RW setup above user get in index.php so remember_me works +- hide most DB_DataObject errors +- always set up database_rw, regardless, so cached sessions work +- update mysqltimestamps on insert and update +- additional debugging data for Sessions +- 'Sign in with Twitter' button img +- Update to biz theme +- Remove redundant session token field from form (was already being added by base class). +- 'Sign in with Twitter' button img +- Can now set $config['queue']['stomp_persistent'] = false; to explicitly disable persistence when we queue items +- Showing processing indicator for form_repeat on submit instead of form +- Removed avatar from repeat of username (matches noticelist) +- Removed unused variable assignment for avatar URL and added missing fn +- Don't preemptively close existing DB connections for web views (needed to keep # of conns from going insane on multi-site queue daemons, so just doing for CLI) May, or may not, help with mystery session problems +- dropping the setcookie() call from common_ensure_session() since we're pretty sure it's unnecessary +- append '/' on cookie path for now (may still need some refactoring) +- set session cookie correctly +- Fix for Mapstraction plugin's zoomed map links +- debug log line for control channel sub +- Move faceboookapp.js to the Facebook plugin +- fix for fix for bad realtime JS load +- default 24-hour expiry on Memcached objects where not specified. Prerequisites ============= diff --git a/actions/getfile.php b/actions/getfile.php index cd327e410..9cbe8e1d9 100644 --- a/actions/getfile.php +++ b/actions/getfile.php 
@@ -71,7 +71,7 @@ class GetfileAction extends Action
 $filename = $this->trimmed('filename');
 $path = null;
- if ($filename) {
+ if ($filename && File::validFilename($filename)) {
 $path = File::path($filename);
 }
diff --git a/classes/File.php b/classes/File.php
index c527c4ffe..6dd9e0c06 100644
--- a/classes/File.php
+++ b/classes/File.php
@@ -176,8 +176,22 @@ class File extends Memcached_DataObject
 return "$nickname-$datestamp-$random.$ext";
 }
+ /**
+ * Validation for as-saved base filenames
+ */
+ static function validFilename($filename)
+ {
+ return preg_match('^/[A-Za-z0-9._-]+$/', $filename);
+ }
+
+ /**
+ * @throws ClientException on invalid filename
+ */
 static function path($filename)
 {
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
 $dir = common_config('attachments', 'dir');
 if ($dir[strlen($dir)-1] != '/') {
@@ -189,6 +203,9 @@ class File extends Memcached_DataObject
 static function url($filename)
 {
+ if (!self::validFilename($filename)) {
+ throw new ClientException("Invalid filename");
+ }
 if(common_config('site','private')) {
 return common_local_url('getfile',
diff --git a/lib/common.php b/lib/common.php
index b482464aa..b95cd1175 100644
--- a/lib/common.php
+++ b/lib/common.php
@@ -22,7 +22,7 @@ if (!defined('STATUSNET') && !defined('LACONICA')) { exit(1); }
 //exit with 200 response, if this is checking fancy from the installer
 if (isset($_REQUEST['p']) && $_REQUEST['p'] == 'check-fancy') { exit; }
-define('STATUSNET_VERSION', '0.9.0beta4');
+define('STATUSNET_VERSION', '0.9.0beta5');
 define('LACONICA_VERSION', STATUSNET_VERSION); // compatibility
 define('STATUSNET_CODENAME', 'Stand');
diff --git a/lib/util.php b/lib/util.php
index dd8189a58..f0f262dc5 100644
--- a/lib/util.php
+++ b/lib/util.php
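Review bot: The pattern in the new File::validFilename(), `preg_match('^/[A-Za-z0-9._-]+$/', $filename)`, has its delimiter and anchor swapped: PCRE takes the leading `^` as the delimiter, finds no closing `^`, and preg_match() then emits a warning and returns false for every input, so the guards this commit adds to File::path() and, in the next hunk, File::url() throw ClientException for every filename including valid ones, and the GetfileAction check added in the first hunk never lets a file be served. The intended line is `return preg_match('/^[A-Za-z0-9._-]+$/D', $filename) === 1;` — the `D` modifier stops `$` from accepting a trailing newline before the end of the string, and the `=== 1` comparison turns preg_match()'s int|false result into the boolean the callers test. Once the pattern is fixed, the character class still does what the commit message promises (no `/` or `..` can pass), but a unit test with a valid name, a name containing `../`, and a name with a trailing newline would have caught the delimiter slip. The File class and both methods continue outside the visible hunk lines.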
@@ -996,9 +996,14 @@ function common_enqueue_notice($notice)
 static $localTransports = array('omb', 'ping');
- static $allTransports = array('sms', 'plugin');
-
- $transports = $allTransports;
+ $transports = array();
+ if (common_config('sms', 'enabled')) {
+ $transports[] = 'sms';
+ }
+ if (Event::hasHandler('HandleQueuedNotice')) {
+ $transports[] = 'plugin';
+ }
+
 $xmpp = common_config('xmpp', 'enabled');
@@ -1006,6 +1011,7 @@ function common_enqueue_notice($notice)
 $transports[] = 'jabber';
 }
+ // @fixme move these checks into QueueManager and/or individual handlers
 if ($notice->is_local == Notice::LOCAL_PUBLIC || $notice->is_local == Notice::LOCAL_NONPUBLIC) {
 $transports = array_merge($transports, $localTransports);